A few months ago I publicly disclosed an Apple EFI firmware zero day. It was a very powerful bug allowing direct access to the EFI firmware from the operating system. EFI rootkits are some of the most powerful and most interesting rootkits. Because they work at a very low level they can play a lot of tricks to hide themselves from forensics and persist for a long time. EFI monsters are a bit like jaguars, stealthy and rarely seen by humans. This doesn't mean they do not exist. EFI monsters are most certainly part of spy agencies rootkits catalog. Very few tools exist to chase them. This talk is about introducing you to the EFI world so you can also start to chase these monsters. EFI world might look scary but it's a bit easier than you think and a lot of fun. Thunderstrike 2 (to be presented at BlackHat) is a fine example of the power of EFI rootkits and the problems they present.

1. fG! @ CODE BLUE 2015
Is there an EFI
monster inside
your apple?

2. Who am I?
§ An Economist.
§ Who loves Human Behavior.
§ And politics.
§ Oh, and a bit of computers.

5. EFI Monsters?
§ Introduction to EFI.
§ How to
§ Reverse engineer (U)EFI binaries.
§ Search for (U)EFI rootkits.

7. Assumptions
§ Reference machine
§ MacBook Pro Retina 10,1.
§ 64-bit only OS X versions.
§ Sandy Bridge or newer.

9. Why EFI?
§ BIOS replacement.
§ Initially developed by Intel.
§ http://www.intel.com/content/www/us/en/
architecture-and-technology/unified-extensible-
firmware-interface/efi-specifications-general-
technology.html
§ Now UEFI, managed by UEFI consortium.
§ http://www.uefi.org

10. Why EFI?
§ Initializes your machine.
§ Access to low level features.
§ Modular.
§ Feature rich.
§ Rather easy development in C.

12. What evil things can we do?
§ Diskless kernel/userland rootkits
§ Rootkit data stored in the flash chip.
§ Unpack and patch kernel on boot.
§ RAM only, never touch hard-disk.
§ Check Snare’s SyScan 2012 presentation.

13. What evil things can we do?
§ Can be hard to detect.
§ With regular available tools.
§ And with some anti-forensics.
§ For example anti-memory dumping.

14. What evil things can we do?
§ Persistence across operating system installs
§ HackingTeam built a UEFI rootkit.
§ https://github.com/hackedteam/vector-edk
§ https://github.com/informationextraction/vector-
edk/blob/master/MdeModulePkg/Application/
fsbg/fsbg.c

15. What evil things can we do?
§ Attack full-disk encryption
§ Install a keylogger.
§ Recover FileVault2 password.

16. What evil things can we do?
§ Attack “secure” operating systems
§ For example, Tails.
§ Recover PGP keys and/or passphrases.
§ https://www.youtube.com/watch?
v=sNYsfUNegEA.

17. What evil things can we do?
§ Bootloader
§ Redirect to a custom bootloader.
§ SMM backdoors
§ http://blog.cr4.sh/2015/07/building-reliable-
smm-backdoor-for-uefi.html

23. A zero day story…
§ Firmware related zero day.
§ Disclosed a few months ago.
§ https://reverse.put.as/2015/05/29/the-
empire-strikes-back-apple-how-your-mac-
firmware-security-is-completely-broken/

24. A zero day story…
§ Failure to lock the flash.
§ Write to the flash from userland.
§ Similar to Thunderstrike but better.
§ Thunderstrike requires physical access.
§ Prince Harming allows remote attack.

26. A zero day story…
§ Extremely simple to trigger.
§ Put machine to sleep.
§ Close, wait for fans to stop, and reopen.
§ Or force sleep with “pmset sleepnow”.

27. A zero day story…
§ Sandy Bridge and Ivy Bridge Macs are
vulnerable.
§ Haswell or newer are not.
§ All older machines are vulnerable
§ Core 2 Duo or older.
§ No flash protections at all.

28. A zero day story…
§ Available updates:
MacBook Air MacBook Pro Mac Mini Mac Pro iMac
4,1 8,1 5,1 6,1 12,1
5,1 9,1 6,1 13,1
6,1 10,1 7,1 14,1
7,1 10,2 14,2
11,1 14,3
11,2 14,4
11,4 15,1
12,1

29. A zero day story…
§ Reversing and understanding the
vulnerability.
§ https://reverse.put.as/2015/07/01/reversing-
prince-harmings-kiss-of-death/
§ Contains links to relevant EFI
documentation.

30. A zero day story…
§ Venamis aka Dark Jedi was also patched.
§ http://events.ccc.de/congress/2014/Fahrplan/
events/6129.html
§ http://blog.cr4.sh/2015/02/exploiting-uefi-
boot-script-table.html
§ Slightly more complex, same results.

31. A zero day story…
§ The story doesn’t end here.
§ Check ThunderStrike 2 slides.
§ Other unpatched vulnerabilities.
§ Can be exploited with remote attack
vectors.

34. Apple ...

36. Where is EFI?
§ Usually stored in a CMOS serial flash.
§ Two popular chips
§ Macronix MX25L6406E.
§ Micron N25Q064A.
§ SPI compatible.
§ Most are 64 Mbits/8 Mbytes.

37. Where is EFI?
§ Newer machines flash chip(s)
§ Winbond W25Q64FV.
§ Chip list from EfiFlasher.efi:
SST 25VF080 Macronix 25L1605 ST Micro M25P16 WinBond 25X32
SST 25VF016 Macronix 25L3205 ST Micro M25P32 Winbond 25X64
SST 25VF032 Macronix 25L6436E Eon M25P32 Winbond 25X128
SST 25VF064 Atmel 45DB321 Eon M25P16 Numonyx N25Q064

38. Where is EFI?
§ Most chips are 8 pin SOIC.
§ SMD or BGA versions used?
§ Retinas 13”?
§ New MacBook 12”?

39. Where is EFI?
§ You can buy the chips bulk and cheap.
§ Useful for flashing experiments.
§ Good results from Aliexpress.com.
§ Around $14 for 10 N25Q064A.
§ Around $8 for 10 MX25L640E.

40. Where is EFI?
§ Easy access on some models.
§ Retinas 15” are the easiest.
§ Extensive disassembly required on others.
§ Still, a MacBook Pro 8,1 can be
disassembled in 5 mins or less.

45. uv

47. How to dump EFI
§ Hardware
§ The best and most reliable way.
§ Trustable.
§ Software
§ Possible if chip supported by flashrom.
§ Not (very) trustable.

48. Hardware
§ Any SPI compatible programmer.
§ http://flashrom.org/Supported_programmers
§ I use Trammell Hudson’s SPI flasher.
§ https://trmm.net/SPI

49. Hardware
§ Based on Teensy 2.0 or 3.x.

50. Hardware
§ Easy to build.
§ Cheap, ~ $30.
§ Fast, dumps a 64Mbit flash in 8 mins.
§ The Teensy 3 version is even faster.
§ It just works!

51. Flash chip SPI pinout

52. Teensy 2.0 pinout

53. Teensy 2.0 pinout
§ Teensy 2 default voltage is 5v.
§ Flash chips are 3,3.v.
§ Requires voltage regulator MCP1825.
§ https://www.pjrc.com/store/mcp1825.html

54. Teensy 3.1 pinout

55. Tips & Tricks
§ Shunt WP and RST pins to VCC.
§ Different SPI pins names
§ SCLK, SCK, CLK.
§ MOSI, SIMO, SDO, DO, DOUT, SO, MTSR.
§ MISO, SOMI, SDI, DI, DIN, SI, MRST.
§ SS, nCS, CS, CSB, CSN, nSS, STE, SYNC.

56. Hardware
§ How to read entire flash

57. Hardware
§ How to write entire 64MB flash

58. Hardware
§ Linux works best to write the flash.
§ Some issues with OS X version.
§ pv or serial driver issues?
§ http://www.ivarch.com/programs/pv.shtml

59. Software
§ Requirements
§ Flashrom
§ DirectHW.kext
§ Rwmem by Trammell also works.
§ Or readphysmem.

60. Software
§ DarwinDumper.
§ Contains binary versions of flashrom and
DirectHW.kext.
§ Kernel extension is not code signed.
§ (Still) Whitelisted by Apple.

61. Software
§ http://flashrom.org/Flashrom
§ http://www.coreboot.org/DirectHW
§ https://bitbucket.org/blackosx/
darwindumper/downloads
§ https://github.com/osresearch/rwmem
§ https://github.com/gdbinit/readphysmem

65. Software
§ AppleHWAccess.kext.
§ readphysmem utility.
§ Can read bios without external kext.
§ Default on Mavericks and Yosemite.
§ Not anymore on El Capitan.

66. Software
§ Good enough to play around.
§ Mostly useless to chase (U)EFI rootkits.
§ Unless it is made by HackingTeam.
§ Their version makes no attempt to hide itself
from software dumps.

68. What’s in the flash

69. What’s in the flash

70. What’s in the flash

71. What’s in the flash

72. Descriptor region
§ Location of other regions.
§ Access permissions.
§ OS/BIOS shouldn’t access ME region.
§ VSCC configures ME flash access.

73. Intel ME region
§ A CPU inside your CPU J.
§ Runs Java.
§ Can be active with system powered off.
§ Out of band network access!
§ No access from BIOS and OS.

74. Intel ME region
§ Mostly a blackbox.
§ Three presentations by Igor Skochinsky.
§ Definitely requires more research!
§ Unpacker
§ http://io.smashthestack.org/me/

75. Intel ME region
§ Rootkit in your laptop: Hidden code in
your chipset and how to discover what
exactly it does
§ Intel ME Secrets
§ Intel ME: Two years later
§ https://github.com/skochinsky/papers

76. BIOS region
§ Contains
§ EFI binaries for different phases.
§ NVRAM.
§ Microcode (not for some models).
§ Each on its own firmware volume (FVH).

79. BIOS region
§ Everything is labeled with a GUID.
§ No filenames.
§ Many GUID can be found in EFI specs.
§ Others are vendor specific/private.
§ Google and luck are your friends!

83. EFI Boot Phases
§ Different initialization phases.
§ Make resources available to next phase.
§ Memory for example.

85. The PEI/DXE Dispatchers
§ PEI and DXE phases have a dispatcher.
§ Guarantees dependencies and load
order.
§ Dependency expressions.
§ Available as a section.

87. gFrameworkEfiMpServiceProtocol
Guid

89. Tools
§ UEFITool and UEFIExtract
§ https://github.com/LongSoft/UEFITool
§ Snare’s IDA EFI Utils
§ https://github.com/snare/ida-efiutils/
§ UEFI Firmware parser
§ https://github.com/snare/ida-efiutils/
§ CHIPSEC
§ https://github.com/chipsec/chipsec

90. EFI file types
§ Two executable file types.
§ PE32/PE32+ (as in Windows).
§ TE – Terse Executable.
§ 16/32/64 bit code, depending on phase.

91. TE file format
§ TE is just a stripped version of PE.
§ Unnecessary PE headers are removed.
§ To save space.
§ Used by SEC and PEI phase binaries.

92. TE file format
§ IDA unable to correctly disassemble.
§ Fails to parse the TE headers.
§ Afaik, still not fixed in 6.8.
§ Solution is to build your own TE loader.
§ https://github.com/gdbinit/TELoader

94. EFI Services
§ No standard libraries to link against.
§ Instead there are services.
§ Basic functions made available on each
phase.
§ Access via function pointers.

95. EFI Services

96. EFI Services

97. EFI Services
§ Each phase has different services.
§ Entrypoint function contains a pointer to
the tables.

98. EFI Services

99. EFI Services
§ Code that you often see in DXE drivers

101. Calling conventions
§ 32-bit binaries use standard C convention
§ Arguments passed on the stack.
§ SEC/PEI phase binaries.

103. Calling conventions
§ 64-bit binaries use Microsoft’s x64
§ First four arguments: RCX, RDX, R8, R9.
§ Remaining on the stack.
§ 32-byte shadow space on stack.
§ First stack argument starts at offset 0x20.
§ DXE phase binaries.

106. Protocols & PPIs
§ The basic services aren’t enough.
§ How are more services made available?
§ Via Protocols and PPIs.
§ Installed (published) by (U)EFI binaries.
§ Others can locate and use them.

107. Protocols & PPIs
§ Protocol (and PPI) is a data structure.
§ Contains an identification, GUID.
§ Optionally, function pointers and data.

109. Protocols & PPIs
§ Protocols exist in DXE phase.
§ PPIs exist in PEI phase.
§ In practice we can assume they are
equivalent.

110. Sample PPI usage
§ First, locate the PPI.

111. Sample PPI usage
§ Second, use it.

112. Sample Protocol usage

116. Apple EFI customizations
§ Apple specific modifications.
§ To reserved fields.
§ Must be taken care of.
§ Else bricked firmware.
§ UEFITool v0.27+ handles everything.

118. Apple EFI customizations
§ The first 8 bytes.
§ Constant between firmware volumes with
the same GUID.
§ Changes between versions?
§ Unknown meaning, doesn’t seem
relevant.

119. Apple EFI customizations
§ Next 4 bytes.
§ CRC32 value.
§ Of the firmware volume contents.
§ By spec, header got its own 16-bit
checksum.

122. Apple EFI customizations
§ Last 4 bytes.
§ Total space used by firmware files.
§ Must be updated if there are any
modifications to volume free space.
§ Bricked firmware if wrong.

125. 0xA0000 – 0x34E30 = 0x06B1D0

127. How to find EFI monsters
§ Dump the flash contents.
§ Via hardware, if possible.
§ Have a known good image.
§ A previously certified/trusted dump.
§ Or firmware updates.

128. How to find EFI monsters
§ Firmware updates available from Apple.
§ Direct downloads.
§ https://support.apple.com/en-us/HT201518
§ Or combined with OS installer or updates.
§ No hashes from Apple available (yet).

129. How to find EFI monsters
§ Only useful for machines with available
updates.
§ Newly released machines need to wait
for a firmware update.

130. How to find EFI monsters
§ Firmware & signatures vault
§ https://github.com/gdbinit/firmware_vault
§ Signed by my PGP key.
§ Extracted from available Apple updates.
§ Soon, the SMC updates.

131. How to find EFI monsters
§ Two file formats used for updates.
§ SCAP (most common).
§ FD (some newer and older models).
§ UEFITool can process both.

132. SCAP
§ EFI Capsule.
§ Used to deliver updates.
§ Recommended delivery mechanism.
§ Composed by firmware volumes.
§ Flash dumps parser can be reused.

133. u
v

134. SCAP
§ u is the EfiFlasher.efi or also known as
UpdateDriverDxe.
§ v are the BIOS region contents.
§ Encapsulated on different GUIDs.

135. u
v
w

136. SCAP
§ u is NVRAM region.
§ v is Microcode.
§ w is Boot volume.

137. SCAP
§ SCAP is signed.
§ RSA2048 SHA256.
§ Apple backported from UEFI.
§ First reported by Trammell Hudson.

139. How to find EFI monsters
§ Compare the flash dump against SCAP.
§ Locate all EFI binaries in the dump.
§ Checksum against SCAP contents.

140. How to find EFI monsters
§ We also need to verify:
§ New files.
§ Missing files.
§ Free/padding space?

141. How to find EFI monsters
§ Verify NVRAM contents!
§ Boot device is stored there.
§ HackingTeam had a new variable there.
§ A simple “fuse” to decide to infect or not
target system.

143. INFECT
SYSTEM
DO
NOT
INFECT
SYSTEM

144. How to find EFI monsters
§ Don’t forget boot.efi.
§ Not very stealth.
§ Always keep in mind that sophistication is
not always required!
§ If it works, why not?

145. How to find EFI monsters
§ SCAP is used by EfiFlasher.
§ We can stitch our own firmware.
§ Extract files from SCAP and build it.
§ Reflash via SPI.
§ Assumption that SCAP is legit.

146. How to find EFI monsters
§ Stitch utility still in TODO list.
§ Potential issues:
§ NVRAM contents?
§ Serial numbers?
§ Use current dump and just replace
binaries?

148. Conclusions
§ (U)EFI rootkits aren’t unicorns.
§ Although they are very rare.
§ Honestly, we don’t know what’s out there.
§ HackingTeam developed one in 2014.
§ Although it was too simple and not
advanced.

149. Conclusions
§ Chasing them requires hardware
assistance.
§ Disassembling computers monthly is not
scalable/efficient/viable.
§ How to deal with this at enterprise level?

150. Conclusions
§ Vendors are usually slow releasing
updates.
§ If they ever do it.
§ Check legbacore.com work.

151. Conclusions
§ SMC is another interesting chip.
§ Alex Ionescu and Andrea Barisani did
some work in this area.
§ Great rootkit possibilities?

152. Conclusions
§ Intel Management Engine (ME).
§ Big Pandora Box?
§ Security researchers should have easier
access to it.

153. Conclusions
§ Option ROMs.
§ Still an issue with Apple’s EFI
implementation.
§ No SecureBoot (signed OptionROMs).
§ Check Thunderstrike 2 OptionROM worm.

158. Conclusions
§ Trolling?
§ Real?
§ Maybe a mix of both.
§ Check Apple logic board schematics.
§ There’s a ton of interconnected stuff.

159. Conclusions
§ We need trusted hardware solutions.
§ If we can’t trust hardware we are wasting
a lot of time solving some software
problems.

160. Conclusions
§ Bring back physical protections?
§ Switches to enable:
§ Flash writes.
§ MIC.
§ Camera.
§ Etc...

161. Conclusions

163. Conclusions
§ Acer C720 & C720P Chromebook.
§ https://www.chromium.org/chromium-os/
developer-information-for-chrome-os-
devices/acer-c720-chromebook
§ #7 is a write-protect screw.

164. Conclusions
§ Might require new hardware design?
§ NVRAM needs to be writable.
§ An independent flash chip for writable
regions?
§ BOM/space restrictions?

165. Conclusions
§ Apple has a great opportunity here.
§ Full control of design and supply chain.
§ Can improve designs.
§ Can force faster updates.
§ Only matched by Chromebook?

167. Greetings
§ CODE BLUE team, Snare, Trammell, Xeno,
Corey, Saure, cr4sh.

168. https://reverse.put.as
https://github.com/gdbinit
reverser@put.as
@osxreverser
#osxre @ irc.freenode.net
PGP key
https://reverse.put.as/wp-content/uploads/2008/06/publickey.txt
PGP Fingerprint
7B05 44D1 A1D5 3078 7F4C E745 9BB7 2A44 ED41 BF05

169. A day full of possibilities!
Let's go exploring!

170. References
§ Images from images.google.com. Credit due to all their authors.
§ Thunderstrike presentation
§ https://trmm.net/Thunderstrike_31c3
§ Thunderstrike 2 presentation
§ https://trmm.net/Thunderstrike_2
§ Snare EFI rootkits presentations
§ https://reverse.put.as/wp-content/uploads/2011/06/
De_Mysteriis_Dom_Jobsivs_-_Syscan.pdf
§ https://reverse.put.as/wp-content/uploads/2011/06/
De_Mysteriis_Dom_Jobsivs_Black_Hat_Slides.pdf
§ Legbacore.com papers and presentations
§ http://legbacore.com/Research.html

171. References
§ Alex Ionescu, Ninjas and Harry Potter: “Spell”unking in Apple SMC
Land
§ http://www.nosuchcon.org/talks/2013/D1_02_Alex_Ninjas_and_Harry_Potter.pdf
§ Alex Ionescu, Apple SMC The place to be definitely For an implant
§ https://www.youtube.com/watch?v=nSqpinjjgmg
§ Andrea Barisani, Daniele Bianco, Practical Exploitation of Embedded
Systems
§ http://dev.inversepath.com/download/public/
embedded_systems_exploitation.pdf

172. References
§ fG!, The Empire Strikes Back Apple – how your Mac firmware
security is completely broken
§ https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-
mac-firmware-security-is-completely-broken/
§ fG!, Reversing Prince Harming’s kiss of death
§ https://reverse.put.as/2015/07/01/reversing-prince-harmings-kiss-of-death/
§ Cr4sh, Exploiting UEFI boot script table vulnerability
§ http://blog.cr4.sh/2015_02_01_archive.html

173. References
§ Cr4sh, Building reliable SMM backdoor for UEFI based platforms
§ http://blog.cr4.sh/2015/07/building-reliable-smm-backdoor-for-uefi.html
§ Firmware papers and presentations timeline
§ http://timeglider.com/timeline/5ca2daa6078caaf4
§ Archive of OS X/iOS and firmware papers & presentations
§ https://reverse.put.as/papers/
§ ‪Intel ATR - Black Hat 2015 / Def Con 23 - Firmware rootkit‬
§ ‬https://www.youtube.com/watch?v=sJnIiPN0104&app=desktop